How to propose a security audit / pen-test

Hello guys!

I have discovered some vulnerable websites owned by companies and organizations of my country. These websites have critical vulnerabilities. On some it is possible to do an unauthorized login, on others to run any SQL command and delete/create/modify files, to name a few.

I would like to know how I can approach these organizations and propose a vulnerability assessment on these websites.
- Should I (phone) call them? If so, what should I say?
- Should I write a letter? If so, what should be the template and contents?

And what about a (full) security audit?

If you know of a website or book that addresses these issues, I would appreciate it!

NOTE: I am very interested in how to contact them and sign a contract ($$$) with them.

I think it is a big opportunity for me to make some $. I don't know anyone else who can help them and I am sure they don't know how to fix the vulnerabilities.

I'm not a security contractor or anything of the sort, but personally I despise receiving offers; most companies will find what they need on their own. This scenario is an exception.

I would consider the type of company they are and how critical their data is. I would then contact them depending on the type of information they store. If it was a financial institution, I would contact them in person if possible; if it were a non-critical data analysis website, I would simply call or email.

If you cannot do it in person, send a professional packet explaining as much without compromising your own business opportunity. Call a week later if you have not heard from them.

Phone can be an excellent method, but some potential clients may not have the time to talk on the phone and prefer to read when they have time. By the same token, some clients may throw your letters away without glancing at them.

I consider the following the best methods of communication in order:
- In Person
- Letter
- Email
- Phone

Personally, if the website looks like it can afford web security, I would use all of them. Some companies have a vulnerable website because they are too cheap to get it done right.

I'm not a marketing professional or businessman of any sort; it's just my opinion. Hope I didn't waste your time.

Edit: Additionally, you seem young. If you are, business owners will definitely question your capabilities. You don't want to attempt to overwhelm them with computer gibberish to convince them. If you see them in person, wear nice clothes. Don't act mature or professional; be mature and professional. Look at everything from their standpoint; they want results.

I'm not a lawyer but I suspect you're treading in a dubious area of legality performing unauthorised pen-tests on sites to find these flaws. You're almost certainly breaking the T&C of your ISP. It's not a good starting point from which to form a business relationship, even when you're potentially doing other businesses a favour.

Approaching companies on the basis of 'I know there's stuff wrong with your site' would need to be approached very carefully as, whether right or wrong, it could possibly be misconstrued as an offer heading towards blackmail, or be taken as unlawful intrusion (e.g. Gary McKinnon).

Large corporations are extremely unlikely to provide the access required to carry out a full security audit to an unproven outsider without any credentials, history or proven track record.

In the scenario where they refuse your services and the site then gets hacked directly afterwards, you'd likely be in the direct firing line of any subsequent investigation.